Security & Compliance Framework

1. Executive Summary

CyberSecurity AD operates under a comprehensive security and compliance framework aligned with:

  • EU NIS2 Directive: Advanced cybersecurity standards for critical infrastructure protection
  • Dutch Cybersecuritywet 2026: National implementation of NIS2 with sector-specific requirements
  • GDPR (General Data Protection Regulation): Data protection and processing requirements
  • MITRE ATT&CK & NVD: Reference frameworks for technique mapping and CVE enrichment
  • Responsible Disclosure: Coordinated vulnerability reporting for in-scope findings
  • ISO/IEC 27001: Information security management system

The framework ensures that autonomous, scope-gated penetration testing maintains the highest standards of security, integrity, and auditability.

2. Risk Management & Assessment

CSAD implements a comprehensive risk management approach aligned with ISO 31000:

  • Risk Identification: Regular assessment of threats to confidentiality, integrity, and availability of intel and findings data
  • Risk Evaluation: Probability and impact analysis; prioritization of mitigation efforts
  • Risk Treatment: Implementation of technical and organizational controls
  • Risk Monitoring: Continuous review of risk landscape; adjustment of controls as needed

Key Risks Addressed:

  • Unauthorized Access: Mitigation through authentication (MFA), authorization (role-based), and network segmentation
  • Data Breach: Mitigation through encryption (TLS 1.3, AES-256), access controls, and intrusion detection
  • Insider Threat: Mitigation through background checks, limited privileges, and audit logging
  • Supply Chain Compromise: Mitigation through vendor vetting, code review, and isolated deployment
  • Physical Theft: Mitigation through secure facility controls and full-disk encryption

3. Data Protection & Encryption

Encryption at Rest:

  • Full-disk encryption: All storage devices encrypted with AES-256
  • Database encryption: All operational data encrypted at rest using industry-standard algorithms
  • Backup encryption: Encrypted backups stored in isolated, access-controlled locations

Encryption in Transit:

  • TLS 1.3: All client-server communications encrypted with modern TLS standards
  • Mutual Authentication: Server and client mutually verify identity; prevents man-in-the-middle attacks
  • Certificate Pinning: Clients accept only the expected certificate or key, which blocks attacks that rely on fraudulently issued certificates
  • Perfect Forward Secrecy: Past session keys cannot be recovered if long-term keys are compromised

Data Integrity:

  • SHA-512 Hashing: All data verified for integrity; tampering detected instantly
  • Cryptographic Signatures: Data signed to prove authenticity and non-repudiation
  • Write-blocking: All original data marked as read-only; no modifications possible

Critical Guarantee: Active actions are restricted to the registered scope allowlist; CyberSecurity AD does not act against out-of-scope systems at any point.

4. Access Control & Authentication

Authentication:

  • Multi-Factor Authentication (MFA): Required for all system access; combines password + hardware token or biometrics
  • Strong Passwords: Enforced complexity requirements; regular rotation
  • Session Management: Automatic timeout after inactivity; secure session invalidation on logout

Authorization:

  • Role-Based Access Control (RBAC): Users assigned to roles (analyst, reviewer, admin); each role has specific permissions
  • Principle of Least Privilege: Users given only minimum permissions needed; no default admin access
  • Scope-Level Isolation: Users can only access engagements they are authorized to work on
  • Segregation of Duties: Data analyst cannot approve reports; requires independent reviewer

Network Access Control:

  • Firewall Rules: All inbound connections restricted; only authorized traffic allowed
  • VPN Requirement: Remote access only via secure VPN with certificate authentication
  • IP Whitelisting: Office networks and approved client locations only

5. Audit Logging & Monitoring

Complete audit trail maintained for all system activities, enabling forensic analysis and compliance verification:

What Is Logged:

  • User Activity: Login/logout, file access, data queries, report generation
  • System Events: Software updates, configuration changes, error conditions
  • Security Events: Failed authentication attempts, unauthorized access attempts, policy violations
  • Data Access: All reads/writes to operational data; timestamp, user ID, action type

Log Protection & Retention:

  • Immutable Logging: Logs cannot be modified or deleted (write-once format)
  • Encrypted Storage: Logs stored encrypted and access-controlled
  • Retention Policy: Logs retained for minimum 5 years per compliance requirements
  • Off-site Backup: Duplicate logs stored in isolated secure location

Real-Time Monitoring:

  • SIEM (Security Information & Event Management): Continuous monitoring and alerting for suspicious activity
  • Anomaly Detection: Machine learning detects unusual patterns (unusual access times, bulk downloads, etc.)
  • Incident Response: Automated alerts notify the incident response team, which assesses the severity level

6. Incident Response & Crisis Management

CSAD maintains a formal Incident Response Plan aligned with ISO 27035:

Detection & Classification:

  • Continuous Monitoring: 24/7 security monitoring for incident detection
  • Classification Matrix: Incidents classified by severity (Critical/High/Medium/Low)
  • Escalation Path: Defined roles and communication procedures based on severity

Incident Response Phases:

  • Containment: Isolate affected systems to prevent spread
  • Investigation: Forensic analysis to determine scope and cause
  • Remediation: Fix vulnerabilities and restore systems to secure state
  • Notification: Inform affected parties per legal requirements (72-hour GDPR rule)
  • Post-Incident Review: Root cause analysis and preventive measures

Business Continuity:

  • Backup & Recovery: Daily encrypted backups; recovery time objective (RTO) of 4 hours
  • Failover Systems: Hot standby systems ready for immediate activation
  • Disaster Recovery Testing: Quarterly DR drills to verify recovery procedures

7. NIS2 Directive Compliance

CSAD infrastructure aligns with the core requirements of the EU NIS2 Directive:

Risk Management (Article 20):

  • Regular risk assessments identifying vulnerabilities
  • Proportionate risk treatment with technical and organizational controls
  • Continuous monitoring and reassessment of security posture

Incident Management (Article 21):

  • Formal incident detection and response procedures
  • Incident classification and severity assessment
  • Mandatory notification to relevant authorities within legal timeframes
  • Post-incident review and continuous improvement

Supply Chain Security (Article 23):

  • Vendor assessment and security requirements
  • Code review and vulnerability scanning
  • Software supply chain integrity verification
  • Regular security audits of dependencies

Cryptographic Measures (Article 24):

  • Advanced encryption standards (AES-256, TLS 1.3) for data protection
  • Regular cryptographic key rotation
  • Post-quantum cryptography roadmap for future readiness

Personnel & Governance (Articles 25-26):

  • Background checks for all staff with system access
  • Annual security awareness training for all personnel
  • Designated Chief Information Security Officer (CISO)
  • Board-level oversight of cybersecurity strategy

8. GDPR Compliance

CSAD processes operational data as a processor under GDPR Article 28, with strict data protection obligations:

Data Processing Agreement:

  • Signed Data Processing Agreement (DPA) with all clients
  • Clear definition of processing scope, purpose, and legal basis
  • Itemized list of processing instructions and compliance obligations

Data Subject Rights:

  • Access: Subject can request copy of their data; CSAD provides within 30 days
  • Rectification: Inaccurate data corrected upon request
  • Erasure: Data deleted upon request (subject to legal holds)
  • Portability: Data provided in portable format for transfer to other processors

Breach Notification:

  • Breach detected and reported to Data Controller within 72 hours
  • Investigation determines scope and impact
  • Controller notifies Data Subjects if high risk to rights/freedoms
  • National authority notified if required

9. Scope Control & Authorized Testing

The agent performs authorized testing only. Active actions are constrained by ScopeGuard and recorded end-to-end:

ScopeGuard Allowlist:

  • Only pre-registered, owned assets can be targeted; everything else is denied
  • Dry-run is available so actions can be simulated first
  • Tools are invoked from a binary allowlist, never in a way that allows shell injection
  • Rate-limiting prevents disruptive or excessive scanning
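
The checks listed above, written out as a default-deny gate in Python. This is an added example, not CSAD's ScopeGuard code; the policy values, the probe tool with its path and flags, and the Gate class are hypothetical.

```python
import ipaddress
import subprocess
import time

# Constructed policy: documentation address range, example.com, hypothetical tool.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/28")]
ALLOWED_HOSTS = {"app.example.com"}
ALLOWED_TOOLS = {"probe": ("/opt/tools/probe", {"--tcp", "--quick"})}
MIN_INTERVAL_S = 1.0  # minimum spacing between actions against one target


class ScopeDenied(Exception):
    """The request falls outside the registered scope or policy."""


def in_scope(target):
    """Default deny: exact registered hostname, or IP inside a registered net."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in ALLOWED_HOSTS
    return any(addr in net for net in ALLOWED_NETS)


class Gate:
    def __init__(self, clock=time.monotonic):
        self.clock, self.last = clock, {}

    def allow_now(self, target):
        """Rate limit: True at most once per MIN_INTERVAL_S for each target."""
        now = self.clock()
        if now - self.last.get(target, float("-inf")) < MIN_INTERVAL_S:
            return False
        self.last[target] = now
        return True

    def run(self, tool, flags, target, dry_run=True):
        """Check policy, then return the argv (dry run) or execute it."""
        if tool not in ALLOWED_TOOLS:
            raise ScopeDenied(f"tool not allowlisted: {tool!r}")
        path, ok_flags = ALLOWED_TOOLS[tool]
        if not set(flags) <= ok_flags:
            raise ScopeDenied(f"flag not allowlisted for {tool}: {flags!r}")
        if not in_scope(target):
            raise ScopeDenied(f"target out of scope: {target!r}")
        argv = [path, *flags, target]  # a list, so no shell ever parses it
        if dry_run:
            return argv
        if not self.allow_now(target):
            raise ScopeDenied(f"rate limit reached for {target!r}")
        return subprocess.run(argv, shell=False, capture_output=True, check=False)
```

A target string carrying shell metacharacters fails both the IP parse and the hostname match, so it is refused before any argv is built.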

Auditability & Reproducibility:

  • Every decision and action is recorded in an immutable audit log
  • Deterministic scoring (no eval) makes results reproducible
  • Hash verification confirms integrity of stored intel and findings

Responsible Disclosure:

  • In-scope findings are reported through coordinated vulnerability disclosure
  • No exploitation or data exfiltration is performed by the agent
  • Decisions on remediation remain with the client's security team

10. External Audit & Certification

CSAD infrastructure undergoes regular independent security audits:

Annual Security Audit:

  • Independent third-party penetration testing by certified security professionals
  • Vulnerability scanning and remediation verification
  • Code review focusing on security vulnerabilities and cryptographic integrity

Compliance Certification:

  • ISO/IEC 27001: Information Security Management System certification
  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, and privacy audit
  • NIS2 Compliance Assessment: Annual review by independent auditor

Audit Reports:

  • Audit findings documented and tracked to resolution
  • Remediation work verified by independent reviewer before closure
  • Summary reports provided to stakeholders (clients, regulatory bodies, board)